Splunk Search

Calculate traffic split based on URI prefix

Explorer

Hi,

The traffic in our application is routed according to a URI prefix, for example: uri_path=/foo/* or uri_path=/bar/*. How can I produce a pie chart that simply shows the percentage of traffic that went to each uri_path?

0 Karma

Engager

I have a similar situation and found MuS's proposed solution to point me in the right direction. I was getting multi-valued fields for my uri_prefix and discovered that `max_match=0` seemed to be causing that. So, changing to `max_match=1` (the default) got me what I was looking for.

base_search | rex field=uri_path max_match=1 "(?<uri_prefix>/[^/]+)" | stats count by uri_prefix
0 Karma

SplunkTrust

Hi johntopley,

try something like this:

... | rex field=uri_path max_match=0 "(?<uri_prefix>/[^/]+)" | ...

cheers, MuS

0 Karma

SplunkTrust

Sure, it will not group anything, because there is no stats nor any other command which will do that. So if you take the updated search and add a stats to it, will that match your needs?

your base search uri_path=/foo/* OR uri_path=/bar/* | rex field=uri_path max_match=0 "(?<uri_prefix>/[^/]+)" | stats count by uri_prefix

I can only try to help and try to lead you, but I cannot write a complete search because I don't have your data....

Explorer

It doesn't group the requests into those that start with /foo/* and those that start with /bar/*.

0 Karma

SplunkTrust

how about this:

your base search uri_path=/foo/* OR uri_path=/bar/* | rex field=uri_path max_match=0 "(?<uri_prefix>/[^/]+)" | dedup uri_prefix | ...

0 Karma

Explorer

Thanks, but it gives 100s of different values for uri_prefix instead of the two I want.

0 Karma

Explorer

No, still the same.

0 Karma

SplunkTrust

Try the updated search '| rex field=uri_path "^/(?<uri_prefix>[^/]*)"'. This gives 'bar' and 'foo' from the uri.

0 Karma

Explorer

Thanks, but it still gives 100s of different values for uri_prefix instead of the two I want.

0 Karma

SplunkTrust

It seems slashes were removed in the comment field. Try this.

your base search | rex field=uri_path "^/(?<uri_prefix>[^/]*)" | stats count by uri_prefix

0 Karma

Explorer

I get > 100 different values for the uri_prefix field. Lots of different URLs that start with /foo or /bar.

0 Karma

SplunkTrust

With the search "your base search | rex field=uri_path "^(?<uri_prefix>.*)/"", what values are you getting in the field uri_prefix?

0 Karma

Explorer

I don't think that does what I need. I'm expecting two figures: one for all uri_paths that start with /foo and another for all uri_paths that start with /bar.

0 Karma

SplunkTrust

Then (based on your example, you just need the first part of the uri, '/foo' and '/bar'), try this.

your base search | rex field=uri_path "^(?<uri_prefix>.*)\/" | stats count by uri_prefix

Explorer

Thanks, but uri_path contains numerous values. I need the grouping by uri_path prefix.

0 Karma

SplunkTrust

If this field is extracted try this.

your base search | stats count by uri_path
or
your base search | chart count by uri_path

and use pie chart as visualisation.

0 Karma
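An added example, not part of any post in this thread: a self-contained search that shows the split by first path segment with percentages. The `uri_path` values are constructed with `makeresults` so it runs without any indexed data; the field names `n`, `total` and `percent` are assumptions made for this example. The regex is anchored with `^` and uses the default `max_match=1`, so each event gets exactly one `uri_prefix`; the unanchored pattern with `max_match=0` matches every path segment and returns a multivalue field, which is the behaviour described in the first reply above.

```spl
| makeresults count=6
| streamstats count AS n
``` constructed sample data: four requests under /foo, two under /bar ```
| eval uri_path=case(n<=3, "/foo/orders/".n,
                     n<=5, "/bar/users/".n."/profile",
                     true(), "/foo/cart")
``` anchored capture of the first segment only, e.g. /foo or /bar ```
| rex field=uri_path "^(?<uri_prefix>/[^/]+)"
| stats count by uri_prefix
``` add each prefix's share of the total alongside the raw count ```
| eventstats sum(count) AS total
| eval percent=round(100*count/total, 1)
| fields uri_prefix count percent
```

Against real data, replace everything up to and including the `eval uri_path=...` line with the base search; the pie chart visualisation computes the shares itself from `stats count by uri_prefix`, so the `eventstats` and `eval` lines are only needed for a table.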